08.01.2019How to approach Information Security and defend your company from cyber attacks

Protecting personal data and commercially sensitive information is becoming more and more important every day. Companies increasingly face the need to find the best solution to ensure information security – this is where Enterprise Architecture (EA) can make the difference.

In today's rapidly-changing world, data runs at the speed of light, and more and more of our daily lives are swiftly transforming into digital processes. Digitization is a reality nowadays, and stepping into the digital world, while being secure has become a priority, for small, medium and large enterprises.

A lot can be learned from the recent attacks on Quora and the British Airways; the British airline was hacked, becoming the victim of a data breach in which the "personal and financial details" of customers were stolen, and more than 380,000 "payment cards” were affected. British Airways has already offered compensation to customers affected by the incident, which may reach a significant amount, especially since many customers alerted by the British Airways and informed about the incident weren’t told whether or not their card details had actually been stolen.

So, what can we learn from this? Nobody is safe from security breaches and Security Management is definitely an Enterprise-wide responsibility, starting from the Business Operational level and ending at the IT workflow level. What this and the many other recent corporate hacks and data leaks show, is that we live in a very vulnerable digital world and hacks can go undetected for quite some time, after which it might already be too late. This is why it is imperative to build robust and secure systems that integrate encryption at every single step of the process, but it is also equally essential to have a tool which helps in detecting all the uncovered and unsafe digital areas of the company.

In other words, a good and stable Information Security Management System (ISMS) needs to be implemented and be kept up to date.

What is an ISMS: Information Security Management System

An Information Security Management System is a set of procedures and rules within a company that serve to permanently define, govern, control, maintain and continuously improve information security. It is an ongoing systematic approach to manage sensitive company information, so that it remains secure. It includes people, processes and IT systems, and applies a risk management process to help small, medium and large businesses keep information assets secure.

A good starting point is with one or more frameworks, in order to define and implement a proper set of rules and procedures based on proven best practices. The ISO 27000 standard – for example – helps organizations keep information assets secure. It is the best-known approach in this family of standards, providing requirements for an information security management system and assisting the organization in managing the security of assets, such as: financial information, intellectual property, employee details or information entrusted by third parties*.

Successfully managing such a collection of assets and risks is where companies have struggled the most and have seen the biggest challenge. This is where organizations with strong Enterprise Architecture (EA) capabilities have been able to succeed, by leveraging their architecture management know-how, in order to deliver a robust and systematic way of understanding their data assets and their related risks.

Why an EA Tool is the keystone for Security Management

1. The role of the Architect:

Together with a good ISMS project, the role of the Enterprise Architect is another important factor to be examined. Every company must be resilient and able to react to any risk , while also being able to understand or predict the impact of the possible threats that could be faced.

In this scenario, the Enterprise Architect is the key role for success, as he is the one able to provide an understanding of the impact of information security at the different levels of the enterprise.By being able to detect and tie the different assets of the company that relate to each information security risk, an Enterprise Architect can easily align the whole process with the business goals and ensure that the company is strong enough to acknowledge and respond to all threats. Last but not least, a good Enterprise Architect knows how much assets of a company are relevant when attempting to improve any gap related to ISMS.

Eventually, this whole new definition of the enterprise will be also used as a blueprint, for defining and scoping the responsibilities with regards to the ISMS initiative.

But how can an Architect execute this complex and time-consuming task and manage a clear set of assets and their dependencies? – Thanks to the best-in-class Enterprise Architecture tool.

2. The role of the EA tool:

A powerful Enterprise Architecture tool like ADOIT makes a difference in every aspect of the company. It enables architects and stakeholders to plan, monitor and analyse every single aspect of the Enterprise, as well as helping the business structure to stay on top of industry trends and market needs. Risk Managers also exploit the benefits of an EA tool, better defining a concrete Road-map of processes and workflows. This kind of software offers a more holistic and disciplined view of the enterprise, and allows an open collaboration between IT and other business units, giving a comprehensive view of IT architecture to anybody outside the IT environment. With this clear and holistic overview, it will also be easier for managers and decision markers to prioritize some investments compared to others, facilitating projects and new services.

In the system and IT development, a tool like ADOIT is really helpful for analyzing the impact of system errors, gaps and security breaches. This approach lets the company focus on detection and response, as well as ensuring resilience to security risks. Therefore, the benefits behind having an Enterprise Architecture tool is in that it provides answers to some of the most important questions related to Information Security:

What is the scope of compliance?Everything starts with the framework, and the answer in that case, is in turning a generic framework into something really meaningful and valuable for the company, and dividing generic compliance requirements into unique requirements. This operation will lead to an internalization of the generic requirements for all the assets of the company, building up smart validity scope rules, and an automated scope definition. Once the requirements are defined, these can then be tied to the relevant infrastructure elements and measures to ensure compliance can be planned and executed.

What and where are the responsibility of the risk assessment?After defining the Architecture compliance scope, the risk assessments have to be identified, defined and then executed. Thanks to an EA tool, every risk assessment can be assigned to the right asset-responsible quite easily, and each of them will be triggered to execute a risk assessment against a particular control objective.Eventually this whole new process will help the company to have an ongoing, automated definition.

What is the level of detail of controls?The benefit of this new scope definition will bring a high level of the work optimization: together with the growth of the company, the assessments and the compliance scope will grow dynamically, as well as the definition of the Enterprise.Keeping traceability from the general framework and the general requirements, all the way down to the new and necessary mechanisms required for risk assessment is an invaluable advantage, and together with an EA tool, the results of these assessments will be presented to the user in a dashboard within the software, thus giving a whole overview of what is currently happening in much greater detail of control.Team members will finally be able to develop a good incident response plan to protect the whole organization, and ensure security and safety of the entire company and most importantly, of customers. This company shift will translate itself in more data inputs, new business models and new challenges from an Information Security perspective.

Final thoughts

Gartner predicts that there will be 20.4 billion devices connected worldwide by 2020**, and the other side of this coin entails a vast network of potential hackers, with an equivalent vast array of easy access points to take advantage of. The future of IT is set to increase and this huge change will let risks grow in the same magnitude. But at the same time, companies that see an increase in the amount of info they collect, will also have a bigger appetite for using that information in a more dynamic way and providing the customers with a faster and more up-to-date to interaction with their services.

Information Security Management is going to grow in importance, magnitude and impact and if several companies lost millions and millions of dollars due to cyber attacks, the answer will definitely be succeeding in ISMS together with all the stakeholders and leverage the definition of the enterprise to understand, monitor and be aware of such an initiative.

Certainly collaborative approach will be the key scenario for this new and profitable challenge.

If you don't want to waste any more time, come along and check out all the capabilities that our ADOIT – named a Leader in the Forrester Wave of Enterprise Architecture Management Suites – can offer you and schedule a completely and totally free live DEMO with one of our experts.